Price of a Bot Army Revealed Across Online Platforms
Key topics
The dark underbelly of online authentication was exposed when a study revealed the going rate for a "bot army" across various online platforms. Commenters weighed in on their own experiences with - or aversion to - SMS verification services, with some opting out of smartphone ownership altogether to avoid being tracked 24/7. Those who've dared to live without cell coverage described it as "blissfully tranquil," while others pointed out the catch-22 of needing SMS authentication for many online services. The discussion highlighted the tension between convenience and privacy in the digital age.
Snapshot generated from the HN discussion
Discussion Activity
Very active discussionFirst comment
4h
Peak period
42
0-12h
Avg / period
13.3
Based on 93 loaded comments
Key moments
- 01Story posted
Dec 14, 2025 at 11:09 AM EST
19 days ago
Step 01 - 02First comment
Dec 14, 2025 at 3:10 PM EST
4h after posting
Step 02 - 03Peak activity
42 comments in 0-12h
Hottest window of the conversation
Step 03 - 04Latest activity
Dec 19, 2025 at 12:36 AM EST
15 days ago
Step 04
Generating AI Summary...
Analyzing up to 500 comments to identify key contributors and discussion patterns
Want the full context?
Jump to the original sources
Read the primary article or dive into the live Hacker News thread when you're ready.
Blissfully tranquil.
Tell support you’ve lost access to email and they might allow you to change it if you can still verify sms code
how would one "verify sms code" without a phone?
as considered by who? do banks accept a Twilio number as a valid number according to their security best practices?
You can just get a fliphone clamshell, they still do those and don't need a full smartphone (ironically the clamshell still runs android)
They boot fast and battery can be pulled after
This is how I do all the 2-factor that demands real SMS
- Google requires to scan QR code with a phone to create an account
- Facebook requires a 3D face scan
- VK requires to use mobile application
- Telegram requires to use mobile application
Desktop now feels like untrusted, shady device, used mostly by cybercriminals. Especially of you use Linux and enable "fingerprinting resistance" option.
> The average price of SMS verification for an online platform during the year-long study period running to July 2025 was ... just a fraction of that in the US ($0.26), UK ($0.10) and Russia ($0.08).
That's outdated. With new Russian legislation, most platforms removed support for Russian phone numbers, so now you cannot even find a service that allows to receive SMS to a Russian number. Futhermore, if you Google such services, it seems that they use the same provider because all of them do not have any working Russian numbers.
I doubt that stops the IRA tbh
This just a) increases the costs for attackers, which don't actually stop them; and b) means the poor amongst a population will be limited in who they can talk to. Very convenient, that. Don't want your peasants talking to citizens from other countries.
You probably have a super suspicious browser fingerprint and/or IP reputation and they're using those measures as a mitigation without denying outright. Use a normie browser and a normal internet connection and account creation works fine.
Their solution is to deanonymize communication, which you're probably familiar with. That's not a tool for social good, but for government power. We could give government virtually any power, if we assume it will be used only for good.
What's a solution to online manipulation that is actually a social good or cannot be misused? What's a freedom-promoting technology that can replace the disaster that is current social media?
Until similar process exist in digital space (read: is legally and culturally forced on SaaS vendors), 2FA is frankly dangerous - it demands standards of diligence and long-term care that not even government affairs do. The back-up codes users are instructed to print out and store securely? No other document in most people's lives requires such long-term protection.
Possible values for A = heroin, alcohol, tobacco, weed, porn, TV… B = addictive, causes cancer, has an effect on brain health, spreads HIV… C = using, consuming, eating, injecting…
Seems that this “people realizing” does not seem to work with other highly addictive chemicals or electronic media, since healing oneself from addiction requires far more than just “realizing” it is bad for you and the society. Perhaps there is a reason why we limit by law the sale of tobacco, drugs, alcohol and other highly addictive substances.
If you can sell guns and porn in kindergarten, well yes, you live in a very very ”liberal” society - one that is a dystopian hellhole, that is. Unless there is something very wrong with you, you do not want to live in such a society either. Therefore we have laws, regulations, social norms and taxation to limit unwanted behaviour as well as to protect those in the most precarious position. We all know for instance how mental illness affects likelyhood of addiction, or how such a simple thing as _pain_ made legions of people opioid addicts across the USA.
So no, it is not just few junkies that fail to realise.
And are there any comparable regulations on social media?
India has also always required buyers to submit their government IDs to buy SIM cards.
The Hunchback struggled with an apparent vacancy of physical beauty and the burden of exclusion. He constantly doom scrolled from the tower above looking down. The solution required everyone in town to have a literal fucking epiphany.
> The Complaint alleged that, from May 2013 through September 2019, Twitter encouraged its users to disclose their phone numbers and email addresses for security purposes, such as enabling two-factor authentication and establishing a method for recovering lost passwords. More than 140 million users provided their information to Twitter.
https://www.arnoldporter.com/en/perspectives/blogs/enforceme...
Creating a new GMail account will require a phone number now, except maybe through a few avenues which are rapidly being closed.
Signing up for popular social media services often requires a phone number.
Signing up for free trials on a lot of platforms requires a phone number.
Everyone knows it's not a perfect measure, but it substantially slows down bot and spammer signups. Even spammers who use these verification services may get an account created, but internally it will be assigned a higher index of suspicion and be more likely to be flagged. When services operate at Facebook or Google scale, they can start to notice when 30 accounts have used the same SMS verification phone number through one of these services in the past N days.
I know some people dislike being reminded of this, but I share it because I'm personally always grateful to notice a new edge of it in my own experience: it's perhaps a dimension of privilege (which is neither good nor bad, just something to know that one [might] have, often in some subtle or hidden dimensions and not in others)
https://cotsi.org/platforms?platform=ds&view=map I wish they showed a graph of services, but it seems like you can only view a graph of countries per service.
[1] https://www.science.org/doi/suppl/10.1126/science.adw8154/su...
[2] https://docs.google.com/spreadsheets/d/1Aialrzkl4kjk2WgQac5f...
The Vendors that actually got included in COTSI are these:
Vendor1 https://sms-activate.org/price 16,310,000 China Vendor3 https://5sim.net/ Vendor 5,137,000 China Vendor5 https://smshub.org/en/main 1,871,000 Indonesia Vendor7 https://smspva.com/ 1,212,000 Nigeria
Others got Reserved (and I guess maybe they'll be included eventually?)
Vendor4 https://sms-man.com/ 2,751,000 USA Vendor6 https://sms-activation-service.com/en/ 1,778,000 Russia Vendor9 https://2ndline.io/ 320,487 Vietnam
If you want I can shoe you the popup that asks for a number
In Germany, you have to give ISP customer providers (help centers) a copy of your passport ID in a live video stream to authenticate. That was introduced since 2013, for all SIM registrations.
So explain to me, again, how did this help reduce botnet traffic from Russia that uses proxy services of third parties that installed their proxy backdoors in free apps on the PlayStore under the disguise of marketing and advertisement?
I don't understand why Google does not get any critique for allowing so much malware to be officially deployed via their PlayStore? They don't give a damn, have a history of not caring, and are the only point in the supply chain that is the problem.
btw, may as well name and shame: the biggest culprit is Bright Data, formerly known as Luminati, also known as HolaVPN (the Chrome extension where they got their start, promising a VPN, routing traffic through a few DigitalOcean boxes, while selling each of their millions of users as a residential proxy endpoint to industrial scrapers). Nowadays they do the same but without the SPOF: they license their “SDK” to app developers, who launder the liability on their behalf.
I want the firewall to be some kind of middleware(?) for Go backends, so you can plug it in and can stop worrying. At least that's the idea.
It's similar probably to what cloudflare's DDoS protection is built like, but I'm focusing on Go backends first (my own use case) and am trying to make this as decentralizable as possible.
Is gonna take a bit until I'm confident that this approach will work, but I highly recommend eBPF for blocking and traffic analysis. It's insane what you can offload to the NIC, even when it's only partial support and not fully supporting XDP.
There's nothing set in stone, as you have to ensure that 24hrs later they get a chance again, so bans will be temporary first and will be permanent only for repeating offenders.
I find it amusingly apt that research into fake accounts is done by someone who people must regularly assume is a fake name.
You'd have to carry ID all the time with a name like that.
The post focuses on SMS verification, which based on the general level of costs makes sense. A KYC-verified Binance account costs a lot more than they list. But if they're only counting the cost for SMS verification, why would it depend on service? Wouldn't only the phone number's country matter?
[1] My favorite mitigation was a machine that accepted the TCP connection from a bot address and just never responded after that (except to keep alives) I think the longest client we had hung that way had been waiting for over 3 months for a web page that never arrived. :-)